Hello all,
the other day I had to work on an image of a PC coming from an Internet Cafe where I found that Deep Freeze was installed. After having done some research about that piece of software I know what it is supposed to do - ensure that all changes to the filesystem are gone after a reboot (and it obviously does it's job) - but I would be interested to know a bit more about how that software works.
What I've found so far is that the data is still on the drive located within the range of unallocated clusters. Furthermore using "Recover Folders" in EnCase shows a lot of folders and files, one of these folders is named "." so it looks to me like Deep Freeze uses that folder "." as some kind of a virtual root directory.
What I don't understand is that within these recovered folders there are basically all files with non-resident data marked as "deleted, overwritten" and the overwriting files are part of the operating system (these files were on the drive long time before the overwritten files), only the files with resident data are recoverable.
I would really appreciate if there is somebody out there who can shed some light on this (what I found so far is just documentation about how to install and use that software but not at least some high level overview about how it works).
Thanks in advance
chris